Module: sip-router
Branch: master
Commit: 14ef8ff8d460bc22f0df4793e11455487ea91aab
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=14ef8ff…
Author: Carsten Bock <carsten(a)ng-voice.com>
Committer: Carsten Bock <carsten(a)ng-voice.com>
Date: Mon Jun 24 22:10:33 2013 +0200
auth_ims: New option to store authentication vectors using the IMPU only, instead of
IMPI/IMPU.
(this is required to work with some SIP-clients)
- added some more debug info
- replaced the hashing function with core_hash from Kamailio-core
---
modules/ims_auth/authims_mod.c | 2 +
modules/ims_auth/authorize.c | 42 ++++++++++++++++++++++++++----
modules/ims_auth/cxdx_mar.c | 3 +-
modules/ims_auth/doc/ims_auth_admin.xml | 21 +++++++++++++++
4 files changed, 61 insertions(+), 7 deletions(-)
diff --git a/modules/ims_auth/authims_mod.c b/modules/ims_auth/authims_mod.c
index 12070c6..0e94f69 100644
--- a/modules/ims_auth/authims_mod.c
+++ b/modules/ims_auth/authims_mod.c
@@ -86,6 +86,7 @@ int av_request_at_once = 1; /**< how many auth vectors to request in
a MAR *
int av_request_at_sync = 1; /**< how many auth vectors to request in a sync MAR */
char *registration_qop = "auth,auth-int"; /**< the qop options to put in the
authorization challenges */
str registration_qop_str = {0, 0}; /**< the qop options to put in the authorization
challenges */
+int av_check_only_impu = 0; /**< Should we check IMPU (0) or IMPU and IMPI (1), when
searching for authentication vectors? */
static str s_qop_s = {", qop=\"", 7};
static str s_qop_e = {"\"", 1};
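Review bot: The Doxygen comment on the new `av_check_only_impu` global has the two values the wrong way round. The lookup added to authorize.c and the admin documentation in this same commit both treat 0 as matching on IMPI and IMPU and 1 as matching on the IMPU alone. Suggested wording: `/**< match stored auth vectors on IMPI and IMPU (0, default) or on the IMPU only (1) */`. Because the setting relaxes how stored credentials are keyed, the comment here should agree with the behaviour.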
@@ -139,6 +140,7 @@ static param_export_t params[] = {
{"registration_default_algorithm", STR_PARAM,
®istration_default_algorithm},
{"registration_qop", STR_PARAM, ®istration_qop},
{"ignore_failed_auth", INT_PARAM, &ignore_failed_auth},
+ {"av_check_only_impu", INT_PARAM, &av_check_only_impu},
{"cxdx_forced_peer", STR_PARAM, &cxdx_forced_peer_s},
{"cxdx_dest_realm", STR_PARAM, &cxdx_dest_realm_s},
{0, 0, 0}
diff --git a/modules/ims_auth/authorize.c b/modules/ims_auth/authorize.c
index 8b1904d..7f3e753 100644
--- a/modules/ims_auth/authorize.c
+++ b/modules/ims_auth/authorize.c
@@ -47,6 +47,7 @@
#include "../../ut.h"
#include "../../str.h"
#include "../../basex.h"
+#include "../../hashes.h"
#include "../../lib/srdb1/db.h"
#include "../../lib/srdb1/db_ut.h"
#include "../../dprint.h"
@@ -85,6 +86,7 @@ extern int add_authinfo_hdr;
extern int max_nonce_reuse;
extern str scscf_name_str;
extern int ignore_failed_auth;
+extern int av_check_only_impu;
auth_hash_slot_t *auth_data; /**< Authentication vector hash table */
extern int auth_data_hash_size; /**< authentication vector hash table size */
@@ -1162,6 +1164,12 @@ void free_auth_userdata(auth_userdata * aud) {
* @returns the hash % Auth_data->size
*/
inline unsigned int get_hash_auth(str private_identity, str public_identity) {
+if (av_check_only_impu)
+ return core_hash(&public_identity, 0, auth_data_hash_size);
+else
+ return core_hash(&public_identity, 0, auth_data_hash_size);
+/*
+
#define h_inc h+=v^(v>>3)
char* p;
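Review bot: Both branches of the new `if (av_check_only_impu)` in get_hash_auth return the same expression, `core_hash(&public_identity, 0, auth_data_hash_size)`, so the test has no effect and `private_identity` is never hashed. If keying the bucket on the IMPU in both modes is intended, a single `return core_hash(&public_identity, 0, auth_data_hash_size);` with a one-line comment saying so would be clearer; otherwise the else branch presumably meant `core_hash(&public_identity, &private_identity, auth_data_hash_size)`. The previous implementation is left inside a `/* ... */` block that only closes in the next hunk; deleting it would be safer, since any block comment in the lines not shown here would end the outer comment early. As far as I recall core_hash reduces with a mask rather than the `%` the old code used, so it is worth confirming that `auth_data_hash_size` is a power of two.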
@@ -1192,6 +1200,7 @@ inline unsigned int get_hash_auth(str private_identity, str
public_identity) {
h = ((h)+(h >> 11))+((h >> 13)+(h >> 23));
return (h) % auth_data_hash_size;
#undef h_inc
+*/
}
/**
@@ -1209,13 +1218,29 @@ auth_userdata * get_auth_userdata(str private_identity, str
public_identity) {
hash = get_hash_auth(private_identity, public_identity);
auth_data_lock(hash);
aud = auth_data[hash].head;
+ if (av_check_only_impu)
+ LM_DBG("Searching auth_userdata for IMPU %.*s (Hash %d)\n",
public_identity.len, public_identity.s, hash);
+ else
+ LM_DBG("Searching auth_userdata for IMPU %.*s / IMPI %.*s (Hash %d)\n",
public_identity.len, public_identity.s,
+ private_identity.len, private_identity.s, hash);
+
while (aud) {
- if (aud->private_identity.len == private_identity.len &&
- aud->public_identity.len == public_identity.len &&
- memcmp(aud->private_identity.s, private_identity.s,
private_identity.len) == 0 &&
- memcmp(aud->public_identity.s, public_identity.s, public_identity.len)
== 0) {
- return aud;
- }
+ if (av_check_only_impu) {
+ if (aud->public_identity.len == public_identity.len &&
+ memcmp(aud->public_identity.s, public_identity.s, public_identity.len) == 0)
{
+ LM_DBG("Found auth_userdata\n");
+ return aud;
+ }
+ } else {
+ if (aud->private_identity.len == private_identity.len &&
+ aud->public_identity.len == public_identity.len &&
+ memcmp(aud->private_identity.s, private_identity.s, private_identity.len) ==
0 &&
+ memcmp(aud->public_identity.s, public_identity.s, public_identity.len) == 0)
{
+ LM_DBG("Found auth_userdata\n");
+ return aud;
+ }
+ }
+
aud = aud->next;
}
/* if we get here, there is no auth_userdata for this user */
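Review bot: With `av_check_only_impu` set, the loop in get_auth_userdata returns the first record whose public identity matches and never compares `private_identity`, so vectors stored under one IMPI are returned for any request that presents the same IMPU. Whether the IMPI is verified later, once the client supplies a username, is not visible in this hunk; a comment above the branch should record that assumption, for example `/* IMPU-only mode: the IMPI is not part of the key, so callers must check it against the received credentials */`. The new `LM_DBG` calls print the hash with `%d` although get_hash_auth returns `unsigned int`; `%u` would match if `hash` is declared that way, and the same likely applies to the `LM_DBG` added in add_auth_vector. The function begins and continues outside the hunk.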
@@ -1408,6 +1433,11 @@ int add_auth_vector(str private_identity, str public_identity,
auth_vector * av)
aud = get_auth_userdata(private_identity, public_identity);
if (!aud) goto error;
+ LM_DBG("Adding auth_vector (status %d) for IMPU %.*s / IMPI %.*s (Hash
%d)\n", av->status,
+ public_identity.len, public_identity.s,
+ private_identity.len, private_identity.s, aud->hash);
+
+
av->prev = aud->tail;
av->next = 0;
diff --git a/modules/ims_auth/cxdx_mar.c b/modules/ims_auth/cxdx_mar.c
index 2ec113b..4fa7e17 100644
--- a/modules/ims_auth/cxdx_mar.c
+++ b/modules/ims_auth/cxdx_mar.c
@@ -154,7 +154,6 @@ void async_cdp_callback(int is_timeout, void *param, AAAMessage *maa,
long elaps
goto error;
}
-
//get each individual element from the MAA
cxdx_get_result_code(maa, &rc);
cxdx_get_experimental_result_code(maa, &experimental_rc);
@@ -388,6 +387,8 @@ success:
//TODO need to confirm that removing this has done no problems
//tmp->auth_data->code = -tmp->auth_data->code;
+ LM_DBG("Added new auth-vector.\n");
+
tmp = tmp->next;
}
diff --git a/modules/ims_auth/doc/ims_auth_admin.xml
b/modules/ims_auth/doc/ims_auth_admin.xml
index a7e4649..56eb972 100644
--- a/modules/ims_auth/doc/ims_auth_admin.xml
+++ b/modules/ims_auth/doc/ims_auth_admin.xml
@@ -313,6 +313,27 @@ modparam("ims_auth", "ignore_failed_auth", 1)
</example>
</section>
+ <section>
+ <title><varname>av_check_only_impu</varname>
(integer)</title>
+
+ <para>When storing the authentication vectors for an account, use either
IMPI/IMPU (=0, default) or IMPU (=1).</para>
+ <para>In case the IMPI is different from the IMPU, this option needs to be
enabled to allow registration from
+ classic "SIP-clients", such as Snom phones and others, as they do not
send an authentication username in the first REGISTER.</para>
+ <para>Default value is <quote>0</quote> (store authentication
vectors based on IMPI/IMPU).</para>
+
+ <example>
+ <title><varname>av_check_only_impu</varname> parameter
usage</title>
+
+ <programlisting format="linespecific">
+...
+modparam("ims_auth", "av_check_only_impu", 1)
+...
+</programlisting>
+ </example>
+ </section>
+
+
+
</section>
<section>